From d5f8c7647d14de3ffab543540785410d1562cfdd Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Sun, 19 Jan 2020 14:48:03 +0000
Subject: [PATCH] custom modules and write access
---
 Dockerfile | 2 +-
 README.md | 5 ++++-
 entrypoint.sh | 13 ++++++++++++-
 3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 7e3cd5e..3fc12be 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,7 @@ COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY misc/GeoLite2-Country.mmdb /etc/nginx/geoip.mmdb
-RUN apk --no-cache add php7-fpm php7-session certbot libstdc++ libmaxminddb geoip pcre yajl && \
+RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl && \
 chmod +x /opt/entrypoint.sh /opt/scripts/* && \
 mkdir /www && \
 adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
diff --git a/README.md b/README.md
index 91cb1d7..075f381 100644
--- a/README.md
+++ b/README.md
@@ -197,6 +197,9 @@ Default value : system, exec, shell_exec, passthru, phpinfo, show_source, highli
 List of PHP functions blacklisted. They can't be used anywhere in PHP code.
 ## TODO
-- File permissions hardening
+- run php7-fpm as nginx
+- Edit CONTENT_SECURITY_POLICY default value
+- Possibility to disable stuff with "free" values
 - Custom TLS certificates
 - Documentation
+- Certificate Transparency
diff --git a/entrypoint.sh b/entrypoint.sh
index 1c835fc..a69069d 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -50,7 +50,7 @@ HTTP2="${HTTP2:-yes}"
 STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY:-max-age=31536000}"
 PHP_EXPOSE="${PHP_EXPOSE:-no}"
 PHP_DISPLAY_ERRORS="${PHP_DISPLAY_ERRORS:-no}"
-PHP_OPEN_BASEDIR="${PHP_OPEN_BASEDIR:-/www/}"
+PHP_OPEN_BASEDIR="${PHP_OPEN_BASEDIR:-/www/:/tmp/}"
 PHP_ALLOW_URL_FOPEN="${PHP_ALLOW_URL_FOPEN:-no}"
 PHP_ALLOW_URL_INCLUDE="${PHP_ALLOW_URL_INCLUDE:-no}"
 PHP_FILE_UPLOADS="${PHP_FILE_UPLOADS:-yes}"
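Review bot: Dropping `php7-session` from the `RUN apk --no-cache add` line is not explained by the commit message, and nothing else in the hunk replaces it, so PHP applications that rely on sessions will presumably fail at session_start() unless the operator supplies the package through the ADDITIONAL_MODULES hook this same commit adds to entrypoint.sh. If that is the intent, record it where users will look, e.g. a README line under the PHP settings and a comment above the RUN instruction such as `# php7-session intentionally omitted: add it via ADDITIONAL_MODULES when sessions are needed`. The RUN instruction is complete within the hunk.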
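Review bot: The new default `/www/:/tmp/` on the PHP_OPEN_BASEDIR line widens open_basedir to a world-writable directory shared by every process in the container, so any file another process drops in /tmp (including uploaded temp files, if PHP keeps them there) becomes readable and includable from PHP code, and the hunk gives no reason for the change. If the entry is needed for session or upload temp storage (presumably why it was added — confirm), point PHP at a dedicated, non-shared directory and keep that setting in sync with php.ini, for example (constructed) `PHP_OPEN_BASEDIR="${PHP_OPEN_BASEDIR:-/www/:/var/tmp/php/}"` with a matching upload_tmp_dir/session.save_path. At minimum add a comment above the line such as `# /tmp/ entry: required for PHP temp/session files; widens what PHP code may read`.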
@@ -60,6 +60,12 @@ USE_MODSECURITY="${USE_MODSECURITY:-yes}"
 CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY:-default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer}"
 COOKIE_FLAGS="${COOKIE_FLAGS:-* HttpOnly}"
 SERVE_FILES="${SERVE_FILES:-yes}"
+WRITE_ACCESS="${WRITE_ACCESS:-no}"
+
+# install additional modules if needed
+if [ "$ADDITIONAL_MODULES" != "" ] ; then
+ apk add $ADDITIONAL_MODULES
+fi
 # replace values
 replace_in_file "/etc/nginx/nginx.conf" "%MAX_CLIENT_SIZE%" "$MAX_CLIENT_SIZE"
@@ -239,6 +245,11 @@ else
 replace_in_file "/etc/nginx/server.conf" "%SERVE_FILES%" ""
 fi
+# edit access if needed
+if [ "$WRITE_ACCESS" = "yes" ] ; then
+ chown -R root:nginx /www
+ chmod g+w -R /www
+fi
 # start PHP
 if [ "$USE_PHP" = "yes" ] ; then
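Review bot: The `apk add $ADDITIONAL_MODULES` line ignores apk's exit status, so a misspelled or unavailable package name only prints a warning and the script continues to configure and start nginx without the module the operator asked for; it also performs a network package install, as root, on every container start instead of at image build time, which makes the running image non-reproducible. At minimum fail fast and avoid leaving index files behind: `apk add --no-cache $ADDITIONAL_MODULES || { echo "failed to install ADDITIONAL_MODULES: $ADDITIONAL_MODULES" >&2; exit 1; }`. The expansion is left unquoted on purpose (a space-separated package list), so mark that with `# shellcheck disable=SC2086 — ADDITIONAL_MODULES is a space-separated package list` rather than leaving it to look like an oversight.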